Practical Ecommerce

Ask an Expert: How to Expedite Credit Card Fraud Detection

“Ask an Expert” is an occasional feature where we ask ecommerce experts questions from online merchants. For this installment, we address a question about credit card fraud detection. It comes from Jamie Salvatori, the founder and owner of an online novelty gift store called Vat19.

For the answer, we turn to Pamela Hazelton, an ecommerce consultant, trainer and speaker, and regular blogger and contributor to Practical eCommerce.

If you’d like to submit a question, email Kate Monteith, staff writer, at kate@practicalecommerce.com and we’ll attempt to address it.


Jamie Salvatori: “We seem to spend too much time reviewing orders to try to detect cases of fraud. Beyond using the address verification system (AVS) info (which is sometimes stolen along with credit card numbers), how are larger businesses handling it? We are a gift store, so we can’t limit our shipping only to the customer’s billing address. That would kill our business.

“Credit card companies put all of the onus on the merchant, yet they seem to provide very little information to help us detect fraud. Should we be writing custom software to look for ‘red flags,’ such as expedited shipping or international locations? Or, is there anything else we can do?”

 


Pamela Hazelton: “The AVS and Card Security Code (CSC, which is commonly referred to as the CVV/CID numbers on the credit card) were both introduced to help deter fraud. The idea was that AVS helped protect consumers by matching the billing address entered to the address on file with the credit card company, and that only the cardholder would have access to the three or four digits on the front or back of the card. This made thieves work harder to get their hands on all details necessary in order to submit a successful transaction; in turn, identity and mail theft went on the rise.

“There are a few quick and easy steps you can take to help identify fraud, and it starts with the payment gateway.

“Be sure to look at your daily reports from your payment gateway before processing orders. The transaction list will show you all transaction attempts, including declined ones. Since a number of thieves use online stores as a testing ground (trying to find balances and cards that are still active), several attempts placed on a single order may be an indicator of card testing and fraud.

“If your shopping cart supports it, you could also utilize a failed-attempt lockout feature. This functionality uses IP- and/or cookie-based protocols to ‘lock out’ a customer if the card number entered fails a defined number of times. For example, you could configure the system to lock the visitor for an hour if the gateway returns three successive declines.

“You may also consider paying for add-on fraud services. Many payment gateways offer these services, which run additional searches on a card number (beyond standard AVS and CSC) to determine if the card has recently been reported stolen or has a reputation of frequent chargebacks and fraud reports. While anti-fraud services aren’t perfect, many users report a significant decrease in fraud. Expect to pay an additional $20 to $30 per month, as well as a per-transaction fee.

“You might also consider offering additional payment options that take some of the burden off the merchant. For example, Amazon Payments connects customers with their own Amazon accounts, so customers are charged by Amazon and Amazon pays the merchant. The benefit is the orders run through Amazon’s checkpoints, which utilize several high-end, anti-fraud tools, and you pay fees similar to those already incurred by your merchant account. It could also increase sales, since many online shoppers feel more comfortable giving their payment information to a single, trusted source.”
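The failed-attempt lockout and the daily-report check described in the answer above, as an added Python example (not code from the article, its author or any shopping cart). It uses the answer's own figures of three successive declines and a one-hour lock; the class and function names, the client key and the sample report rows are constructed for illustration.

```python
from collections import defaultdict

MAX_DECLINES = 3        # successive declines that trigger a lock (figure from the answer)
LOCKOUT_SECONDS = 3600  # lock for one hour (figure from the answer)

class DeclineLockout:
    """Counts successive gateway declines per client key (IP and/or cookie id)."""
    def __init__(self):
        self.streak = defaultdict(int)  # client -> current run of declines
        self.locked_until = {}          # client -> time (seconds) the lock expires

    def is_locked(self, client, now):
        return now < self.locked_until.get(client, 0)

    def record(self, client, approved, now):
        """Record one gateway response; return True if the client is locked."""
        if self.is_locked(client, now):
            return True                 # checkout should refuse before calling the gateway
        if approved:
            self.streak[client] = 0     # an approval breaks the run of declines
            return False
        self.streak[client] += 1
        if self.streak[client] >= MAX_DECLINES:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            self.streak[client] = 0
            return True
        return False

def orders_with_repeated_attempts(rows, min_attempts=3):
    """Order ids with several attempts in the gateway list, declines included."""
    attempts = defaultdict(int)
    for _, order, _, _ in rows:
        attempts[order] += 1
    return sorted(o for o, n in attempts.items() if n >= min_attempts)

def locked_events(rows):
    """Replay a report through the lockout; return (time, client) of locked rows."""
    guard = DeclineLockout()
    return [(now, client) for now, _, client, approved in rows
            if guard.record(client, approved, now)]

# Constructed daily report: (time in seconds, order id, client key, approved?)
SAMPLE = [
    (0,   "A100", "198.51.100.7", False),
    (20,  "A100", "198.51.100.7", False),
    (45,  "A100", "198.51.100.7", False),  # third successive decline: lock starts
    (600, "A100", "198.51.100.7", True),   # arrives while the lock is still active
    (900, "B200", "203.0.113.9",  False),
    (960, "B200", "203.0.113.9",  True),   # one mistyped attempt, then approved
]
```
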


  1. Matt Winn May 13, 2010

    Right on! These are all great ways to help prevent fraud before it happens. Thanks for sharing, Pamela.

    There are a couple of other ‘common sense’ tactics we share with our customers. All it takes is an extra scan of the information associated with each order. While it’s not perfect, any time you can see a waving red flag, you’re better prepared to identify credit card fraud.

    1) Take a look at the e-mail address. Be wary of an address that contains random characters, especially if provided through a provider like Yahoo or Gmail. These accounts are easy to create and have minimal checks. Also, see if the e-mail address corresponds to the customer’s name. If Susie Smith places an order with e-mail address jackiebrown@gmail.com, that might be of concern.

    2) Closely look at all international orders, especially from high-risk regions like Southeast Asia, Africa, Eastern Europe and the Middle East. Several countries in these locations have extremely high rates of credit card fraud.

    3) Watch out for unusually high order amounts. If you receive an order for 18 digital cameras totaling $3000, it might be worth making a call to a customer if this is unusual for your online store.

    4) Use your IP firewall to block fraudsters from multiple attempts. If you identify a particular order as fraudulent, make sure to block their IP address from your system. This will prevent them from coming back and causing problems in the future.

    To Pamela’s point, additional scanning can be a big help. In addition to our ecommerce software, we offer a fraud protection service that takes a multitude of variables, scans them against a massive database, and returns a score to help customers identify potentially fraudulent orders.

    Whatever the case, don’t be afraid to be proactive regarding the security of your business. If you need to send a follow-up email or make a phone call to a customer to verify an order, you won’t offend them. Credit card fraud is on the rise and chargebacks are a frustrating fee. You are the ultimate guardian against fraudsters, so stay safe out there!

    -Matt_at_Volusion

  2. Carlos Rivera May 13, 2010

    I also suggest, from experience:

    * Be cautious of sending orders to port locations (New York, Miami, Los Angeles) when your Shipping/Billing filters indicate a mismatch, because fraudsters commonly send products bought with stolen credit cards overseas to re-sell.

    * Scrutinize orders with expedited shipping options (Next Day Air, 2nd Day Air). Criminals often need their products delivered quickly to eliminate detection.

    * Be careful about sending products to business suites. Fraudsters often work in them with teams of people switching rooms on the same floor or many floors to avoid detection.

    * Also, be aware that if your product has a high-resale value (i.e. electronics, jewelry) that it might be targeted by online criminals to be resold on the black market…with you footing the bill on the chargeback!

    Carlos @ Haddrell’s Point

  3. Toolstop May 13, 2010

    Hi, thanks for the great advice.

    I run an ecommerce site in the UK which sells power tools. These are very sought after items for resale and we are a target for the fraudsters.

    We have been caught out on a number of occasions but we are quite good at spotting fraudsters, however from time to time we let one slip through the net or we cancel a transaction which was legitimate.

    My idea is that through our payment gateway we do a small random refund to the customer and then ask them to verify what that small amount was by checking their credit card statement. The problem doing this is that the payment gateway sends out an email to the customer detailing the refund so a fraudster who has made an order using a hotmail or gmail (untraceable) email address will get the email. I asked the payment gateway to set their system so we can choose if we don’t want to send the email but they point blank refuse.

    I think this idea is a no brainer but the payment gateway provider don’t seem to think so. Anyone got any advice?

  4. Pamela Hazelton May 15, 2010

    Toolstop:

    That’s an interesting concept. Which payment gateway do you use? Not all of them auto-email – some don’t even store the customer’s email address.

    Pamela

  5. Alex Mulin May 17, 2010

    > If Susie Smith places an order with e-mail address
    > jackiebrown@gmail.com, that might be of concern

    Our experience shows that fraudsters would use susie.smith@ kinda e-mail rather than i.am.not.susie.smith@ one

    Also, check IP vs billing address distance – distance between IP location and billing address location. Larger means more dangerous.

  6. Susie Brant May 21, 2010

    Toolstop, we use a similar verification method except that we issue a small charge to the customer’s card instead of a small refund.

    Jamie, the other posters have given you some great advice regarding all of the little things to take into consideration when making that judgment call regarding whether an order is fraud or not. Of course, these add time to your decision-making process. Do some preliminary sorting to make sure you’re not screening ALL of your orders, just the most risky ones. Do you really want to spend 30 minutes verifying a $50 purchase? Probably not. Limit yourself to reviewing only the high dollar/high risk purchases to make best use of your resources.
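The red flags raised in the question and in the comments above, combined into a pre-sort so that only the riskiest orders reach manual review: an added Python example, not code from the article or from any commenter. The weights, the review cut-off, the "high amount" figure, the home country, the field names and the sample orders are all assumptions constructed for illustration; a shipping/billing mismatch alone carries a low weight so ordinary gift orders are not queued.

```python
import re

# Flags are the ones named in the article and comments; the weights, cut-offs
# and home country are assumptions to tune against your own chargeback history.
WEIGHTS = {"ship_bill_mismatch": 1, "email_name_mismatch": 1, "expedited": 2,
           "international": 2, "high_resale_item": 2, "high_amount": 3}
REVIEW_SCORE = 4          # hypothetical score that sends an order to a person
HIGH_AMOUNT = 500.00      # hypothetical "unusually high" total for this store
HOME_COUNTRY = "US"       # assumption
EXPEDITED = {"next_day_air", "2nd_day_air"}
HIGH_RESALE = {"electronics", "jewelry"}

def email_matches_name(email, name):
    """True if any part of the customer's name appears in the e-mail local part."""
    local = re.sub(r"[^a-z]", "", email.split("@")[0].lower())
    return any(p in local for p in name.lower().split() if len(p) > 2)

def red_flags(o):
    """Return the names of the flags this order raises."""
    checks = {
        "ship_bill_mismatch": o["ship_to"] != o["bill_to"],
        "email_name_mismatch": not email_matches_name(o["email"], o["name"]),
        "expedited": o["shipping"] in EXPEDITED,
        "international": o["country"] != HOME_COUNTRY,
        "high_resale_item": o["category"] in HIGH_RESALE,
        "high_amount": o["total"] >= HIGH_AMOUNT,
    }
    return [flag for flag, hit in checks.items() if hit]

def triage(orders):
    """Return (id, score, flags) for orders needing manual review, riskiest first."""
    queue = []
    for o in orders:
        flags = red_flags(o)
        score = sum(WEIGHTS[f] for f in flags)
        if score >= REVIEW_SCORE:
            queue.append((o["id"], score, flags))
    return sorted(queue, key=lambda row: -row[1])

# Constructed sample orders (not real data).
ORDERS = [
    {"id": 1001, "name": "Susie Smith", "email": "susie.smith@example.com", "ship_to": "A", "bill_to": "B", "shipping": "ground", "country": "US", "category": "novelty", "total": 45.00},
    {"id": 1002, "name": "Susie Smith", "email": "jackiebrown@example.com", "ship_to": "C", "bill_to": "B", "shipping": "next_day_air", "country": "US", "category": "electronics", "total": 3000.00},
    {"id": 1003, "name": "Tom Jones", "email": "tjones@example.com", "ship_to": "D", "bill_to": "D", "shipping": "ground", "country": "US", "category": "novelty", "total": 60.00},
    {"id": 1004, "name": "Ana Lopez", "email": "ana.lopez@example.com", "ship_to": "E", "bill_to": "E", "shipping": "next_day_air", "country": "GB", "category": "novelty", "total": 80.00},
]
```
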

  7. Alex H. May 21, 2010

    Thanks for all the great input.

    Toolstop, we are a Merchant Account Provider (US based) and I love that idea.

    We at Social Business Bank are always working on new methods to eliminate chargebacks and fraud.

    Great hints, thank you!

    @all: if you have more ideas, you can contact me at
    alex dot hager at socialbusinessbank dot com

  8. ExCCThf February 10, 2011

    Let me preface my comments with some background: I used to commit credit card fraud in various forms for a living. Eventually got caught, went to prison for some years, now I’m using my knowledge to help.

    So here’s the deal. If you want to stop online fraud, you have to focus on information that the thieves DON’T have. Cards are purchased usually with name, address, social security number, mother’s maiden name, date of birth, card number, exp. date, CVV2 (or CID with AmEx); and in a lot of cases even e-mail and passwords. If you’re relying on any of this–or anything that those things serve as a gateway to, like identifying specific transactions on the account–you’re going to fail and get hit with the chargeback. With all that info, it’s easy to change anything on the account. How do you think alternate addresses get added to the accounts?

    Trying to use IP addresses and geolocation is pointless for fighting any thief that knows what they’re doing. Proxies sorted by state and even city are a penny apiece, if that.

    So how do you stop fraud? Asking the customers random info on the phone is one good way. For example, say the billing address is 125 Oak Street, Whatever City. Go on Google Maps and find out what businesses are close to there, i.e. gas stations, convenience stores, other roads, etc. After confirming that the customer lives at the billing address, ask them "Ms. Cardholder, what gas station is on the corner of Oak and Main Street down the road from your house?" A person who lives there will know right away; a thief will not. You must pay attention to the WAY that they answer. A cardholder will sound confused at first; a thief will sound worried or angry. Also, ask questions where ANY answer would be wrong–like "Is that 7-Eleven on the corner of Oak and Main open 24/7?" when there’s no 7-Eleven or no Main Street intersection. A cardholder will sound confused and not have an answer; a thief will lie. Be creative with your questions; there’s lots of info available online for free.

    You can also ask for a scan or photo of the front and back of the card. The first 6 digits of the card can be used to determine the bank that issued the card and its type. If the first 6 show the bank is Citibank and the "scanned" card is from Bank of America, something’s up. The back is important because it will show the signature and the bank number the customer is supposed to call. This is a difficult check to overcome for thieves who aren’t really good at Photoshop or who don’t have access to high-quality card templates. And who knows, a good lawyer might be able to argue this into a "card-present" transaction where the bank takes the hit instead of you if fraud does slip through.

    Almost impossible to overcome would be live video chat where the customer has to show the actual card and/or ID, especially since this would require a thief to reveal their face on video. As webcams get more ubiquitous, this will (or should) become an increasingly-used tactic.

    My last pointer for the day is to ask for a second card to make a small random (e.g. $0.43) security charge to (which will be reduced from the amount charged to the first card or can be refunded). Asking the customer to verify the amount of THIS charge is significantly harder for thieves than verifying a small charge or refund amount on the purchase card. Most people have more than one card; but most thieves will not have access to more than one card from the same cardholder. Unfortunately there’s not really any way you can overcome a thief who simply says, while pretending to be the customer, that they don’t have any other card; but that’s a factor that can factor into your overall evaluation.

    Above all, make sure you weigh any possible loss against the potential profits from the sale. A $30 lost profit might be a good investment when weighed against a possible $800 loss.